Unable to Route LAN Traffic Through VPN

Context:

I’m running OpenWRT on my router, and I successfully configured StrongSwan for IKEv2 VPN. The VPN connection works fine, and I can connect without issues. However, I’m unable to route traffic from my LAN devices through the VPN (using a VTI interface).

I’ve tried several solutions, including adding NAT rules and routes, but nothing seems to work. At one point, I even lost internet connectivity completely and couldn’t reconnect to the VPN.


Current Configuration:

  1. IPsec Config (ipsec.conf):
conn ivpn
    keyexchange=ikev2
    keyingtries=%forever
    dpdaction=restart
    dpddelay=300s
    inactivity=36000s
    rekey=no
    forceencaps=yes
    authby=secret
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    left=192.168.1.1
    leftsourceip=%config
    leftsendcert=always
    leftauth=eap-mschapv2
    rightfirewall=yes
    rightauth=pubkey
    right=se1.gw.ivpn.net
    rightid=se1.gw.ivpn.net
    rightsubnet=0.0.0.0/0
    rightsendcert=always
    eap_identity=zaza
    auto=add
    mark=42
    leftupdown=/usr/libexec/ipsec/_updown_vti
  2. IPsec Secrets (ipsec.secrets):
ZAZA : EAP "PASS"
  3. VTI Interface Creation (Custom Script /usr/libexec/ipsec/_updown_vti): I created a script to handle the VTI interface:
#!/bin/sh

case "$PLUTO_VERB" in
up-client)
    ip link add vti-vpn type vti local $PLUTO_INTERFACE remote $PLUTO_PEER
    ip link set vti-vpn up
    ip addr add 169.254.0.1/30 dev vti-vpn
    ip route add 0.0.0.0/1 dev vti-vpn
    ip route add 128.0.0.0/1 dev vti-vpn
    ;;
down-client)
    ip link del vti-vpn
    ;;
esac
  4. Firewall Configuration (/etc/config/firewall):
config forwarding
    option src 'lan'
    option dest 'vpn'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'vpn'
  5. iptables NAT Rule (Added manually and in firewall.user):
iptables -t nat -A POSTROUTING -o ip_vti0 -j MASQUERADE
  6. Routing Table Before and After Adding Routes (Manually):
  • Before adding routes manually:
ip route
default via 100.104.0.1 dev pppoe-wan proto static
100.104.0.1 dev pppoe-wan proto kernel scope link src [IP ADDRESS]
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
  • After adding routes manually:
ip route add 0.0.0.0/1 dev ip_vti0
ip route add 128.0.0.0/1 dev ip_vti0

ip route
0.0.0.0/1 dev ip_vti0 scope link
default via 100.104.0.1 dev pppoe-wan proto static
100.104.0.1 dev pppoe-wan proto kernel scope link src [IP ADDRESS]
128.0.0.0/1 dev ip_vti0 scope link
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
  7. Issue After Reboot: After every reboot, the routes and NAT rules disappear, and I lose internet connectivity or I’m unable to reconnect to the VPN.

What I’ve Tried:

  • I added the routes manually and via the script in /etc/rc.local and /etc/firewall.user to ensure they persist after a reboot.
  • NAT rules were added to iptables manually, and I checked using iptables -t nat -L -v to ensure they exist.
  • VTI interface (ip_vti0) is up after I manually set it up, but LAN traffic is still not routing through the VPN.
  • Checked routing and iptables NAT rules, but traffic still isn't being routed through the VPN after reboot.
  • Firewall forwarding from LAN to VPN is set up correctly, but it doesn't seem to be routing traffic through the VPN.
  • At one point, I lost connectivity completely and couldn’t reconnect to the VPN, so I had to reset some configurations.

Key Issue:

The VPN connection works fine, but the LAN traffic isn’t being routed through the VPN, and after every reboot, the routes and NAT rules disappear. I need a reliable method to:

  1. Route all LAN traffic through the VPN.
  2. Ensure the configuration persists after a reboot.

Request for Help:

Can someone provide a detailed guide or troubleshooting steps to ensure that LAN traffic is routed through the VPN on OpenWRT and that the routes/NAT persist after reboots? I feel like I might be missing something in the routing or firewall configuration.


Thanks in advance for your help!


Additional Info:

If needed, I can provide logs from logread | grep charon and other diagnostics.

In the interfaces advanced section for wan you have to unselect 'Use default gateway' for the normal wan (you might want to not use those DNS servers also).

Also, it's 0.0.0.0/0 for the default route, not 0.0.0.0/1.

And if you haven't, you need to make a route to make sure that the host can access the VPN and doesn't go through the default route, e.g.:

ip route add [ip of the vpn server]/32 via 100.104.0.1

Hi there!

I followed all the steps you suggested:

  1. Added a route for the VPN server:
ip route add [VPN_SERVER_IP]/32 via [WAN_GATEWAY] dev pppoe-wan
  2. Added the default route via the VPN interface:
ip route add 0.0.0.0/0 dev ip_vti0
  3. Disabled "Use default gateway" in the WAN interface settings

Before rebooting, the internet worked, but the VPN was not routing traffic to LAN. I could access the internet, but traffic from my LAN was not being routed through the VPN.

After I rebooted the network, the internet stopped working completely, and I couldn't reconnect to the VPN anymore. It seems like after the reboot, none of the configurations were applied, and everything just stopped.

Here are the logs and outputs before the reboot:


ip route output before reboot:

default dev ip_vti0 scope link
[VPN_SERVER_IP] via [WAN_GATEWAY] dev pppoe-wan
[WAN_GATEWAY] dev pppoe-wan proto kernel scope link src [EXTERNAL_IP]
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1

iptables -t nat -L -v output:

Chain PREROUTING (policy ACCEPT [X] packets, [X] bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT [X] packets, [X] bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT [X] packets, [X] bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT [X] packets, [X] bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    ip_vti0  192.168.1.0/24       anywhere

After the network reboot, both the internet and the VPN connection were lost, and I could not reconnect to the VPN.

Could you help me figure out what's going wrong? It seems like after the reboot, the settings don’t persist, and I'm stuck without internet or VPN routing.

Thanks in advance!

I feel like my configuration might not be correct

If anyone has a working setup for IKEv2 that successfully routes LAN traffic through the VPN, even if it's done using a different method, I would really appreciate it if you could share it. I would love to try it on my setup and see if it works
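As an added example (not the poster's script and not from anyone in this thread), here is a reworked _updown_vti that applies the earlier reply's three points inside the strongSwan up/down hook, so the host route to the VPN server and a single 0.0.0.0/0 default are re-created by charon every time the tunnel comes up and need no rc.local entry. It assumes mark=42 from the posted ipsec.conf, a tunnel device named vti-vpn, OpenWrt's network_get_gateway helper for the WAN gateway, and a hypothetical DRY_RUN switch that prints the commands instead of running them.

```shell
#!/bin/sh
# Reworked /usr/libexec/ipsec/_updown_vti (added example, not the thread's
# script). charon calls it with PLUTO_VERB/PLUTO_ME/PLUTO_PEER set, so the
# routes are re-created on every tunnel up and survive reboots without rc.local.
VTI_DEV="${VTI_DEV:-vti-vpn}"   # assumed device name
VTI_KEY=42                      # must match mark=42 in ipsec.conf
VTI_ADDR=169.254.0.1/30
WAN_IF="${WAN_IF:-wan}"

# run: execute the command, or only print it when DRY_RUN=1 (hypothetical
# switch so the sequence can be reviewed before touching a live router).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# OpenWrt helper: read the current WAN gateway from netifd (needs the router).
wan_gateway() {
    . /lib/functions/network.sh
    network_get_gateway gw "$WAN_IF" && echo "$gw"
}

# vti_up <local_ip> <peer_ip> <wan_gateway>
vti_up() {
    me="$1"; peer="$2"; gw="$3"
    [ -n "$gw" ] || { echo "vti_up: no WAN gateway found" >&2; return 1; }
    run ip link add "$VTI_DEV" type vti local "$me" remote "$peer" key "$VTI_KEY"
    run ip link set "$VTI_DEV" up
    run ip addr add "$VTI_ADDR" dev "$VTI_DEV"
    # Host route first: IKE/ESP to the server must keep leaving via the WAN,
    # otherwise the default below would swallow the tunnel's own packets.
    run ip route add "$peer/32" via "$gw"
    # One real default (0.0.0.0/0), not the 0.0.0.0/1 + 128.0.0.0/1 halves.
    # Requires 'Use default gateway' to be off on the wan interface.
    run ip route add 0.0.0.0/0 dev "$VTI_DEV"
}

# vti_down <peer_ip>: deleting the link drops its default route as well.
vti_down() {
    run ip route del "$1/32"
    run ip link del "$VTI_DEV"
}

case "$PLUTO_VERB" in
    up-client)   vti_up "$PLUTO_ME" "$PLUTO_PEER" "$(wan_gateway)" ;;
    down-client) vti_down "$PLUTO_PEER" ;;
esac
```

Run it once by hand with DRY_RUN=1 PLUTO_VERB=up-client PLUTO_ME=... PLUTO_PEER=... to review the command order before pointing leftupdown at it.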

Here is the IVPN setup guide and links to the certificates.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

My problem is not with the connection, but with the transfer of traffic from the LAN to the VPN

Here are the configuration files you requested. I’ve redacted sensitive information, such as passwords, MAC addresses, and Wi-Fi SSIDs.


1. System Info:

ubus call system board
{
    "kernel": "5.15.150",
    "hostname": "OpenWrt",
    "system": "ARMv7 Processor rev 0 (v7l)",
    "model": "ZyXEL NBG6817",
    "board_name": "zyxel,nbg6817",
    "rootfs_type": "squashfs",
    "release": {
        "distribution": "OpenWrt",
        "version": "23.05.3",
        "revision": "r23809-234f1a2efa",
        "target": "ipq806x/generic",
        "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
    }
}

2. Network Configuration:

cat /etc/config/network

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd20:6606:63c9::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth1.1'

config device
    option name 'eth1.1'
    option macaddr 'XX:XX:XX:XX:XX:XX'  # Redacted MAC address

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config device
    option name 'eth0.2'
    option macaddr 'XX:XX:XX:XX:XX:XX'  # Redacted MAC address

config interface 'wan'
    option device 'eth0.2'
    option proto 'pppoe'
    option username 'REDACTED'  # Redacted PPPoE username
    option password 'REDACTED'  # Redacted PPPoE password
    option ipv6 '0'
    option peerdns '0'
    list dns '1.1.1.1'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 6t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '5 0t'

config interface 'vpnos'
    option proto 'none'
    option device 'ip_vti0'

3. Wireless Configuration:

cat /etc/config/wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
    option channel '36'
    option band '5g'
    option htmode 'VHT80'
    option disabled '1'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'REDACTED'  # Wi-Fi SSID redacted
    option encryption 'none'

config wifi-device 'radio1'
    option type 'mac80211'
    option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
    option channel 'auto'
    option band '2g'
    option htmode 'HT20'
    option cell_density '0'

config wifi-iface 'default_radio1'
    option device 'radio1'
    option network 'lan'
    option mode 'ap'
    option ssid 'REDACTED'  # Wi-Fi SSID redacted
    option encryption 'psk2+ccmp'
    option key 'REDACTED'  # Wi-Fi password redacted

4. DHCP Configuration:

cat /etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option cachesize '1000'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'
    option ednspacket_max '1232'
    option filter_aaaa '0'
    option filter_a '0'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option ra 'server'
    option ra_slaac '1'
    list ra_flags 'managed-config'
    list ra_flags 'other-config'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

5. Firewall Configuration:

cat /etc/config/firewall

config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    list network 'vpnos'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'vpn'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'IPSec-ESP'
    option src 'wan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'IPSec-IKE'
    option src 'wan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'IPSec-NAT-T'
    option src 'wan'
    option dest_port '4500'
    option proto 'udp'
    option target 'ACCEPT'

Also, here are the details of my current IKEv2 StrongSwan configuration on OpenWRT. I’ve included the ipsec.conf, strongswan.conf, and my custom ipsec.user script.


1. ipsec.conf

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2"

conn lan-passthrough
    leftsubnet=192.168.1.0/24  
    rightsubnet=192.168.1.0/24  
    authby=never  
    type=pass  
    auto=route  

conn ivpn
    keyexchange=ikev2
    keyingtries=%forever
    dpdaction=restart
    dpddelay=300s
    inactivity=36000s
    rekey=no
    forceencaps=yes
    authby=secret
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    left=192.168.1.1
    leftsourceip=%config
    leftsendcert=always
    leftauth=eap-mschapv2
    rightfirewall=yes
    rightauth=pubkey
    right=xxx  
    rightid=xxx
    rightsubnet=0.0.0.0/0
    rightsendcert=always
    eap_identity=xxxx
    mark=42
    auto=add

2. strongswan.conf

# strongswan.conf - strongSwan configuration file

charon {
    load_modular = yes
    install_routes = yes
    install_virtual_ip = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
include /var/ipsec/strongswan.conf

3. Custom ipsec.user script

# This file is interpreted as a shell script.
# Put your custom IP rules here, they will
# be executed with each call to the script
# /usr/lib/ipsec/_updown which by default
# strongswan executes.

case "$PLUTO_VERB" in
up-client)
    iptables -t nat -A postrouting_wan_rule -s 192.168.1.0/24 -m policy --dir out --pol none -j SNAT --to-source "$PLUTO_MY_SOURCEIP4_1"
    ;;
down-client)
    iptables -t nat -F postrouting_wan_rule
    ;;
esac